Hack Hangover: The News Keeps Getting Worse for Equifax

Since the massive data breach at Equifax Inc. was disclosed late Thursday (see our blog here), the news has only gotten worse for the Atlanta-based credit monitoring agency. Here’s a brief chronological recap of what we know so far:

▪ On July 29th, Equifax discovered that a hacker exploited a “U.S. website application vulnerability” to gain access to “certain files” from mid-May through July 2017.

▪ It’s unclear what “files” were accessed, although the company says it has found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

▪ On September 7th, the company disclosed the breach and said that as many as 143 million U.S. consumers might be affected. The information accessed “primarily includes” names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Credit card information for more than 200,000 Americans was also compromised, as were “certain dispute documents with personal identifying information,” affecting another 182,000 U.S. residents.

▪ Equifax stock (EFX) fell by more than 20% at the market open but ended the day down about 14%.

▪ News reports stirred concern that three of the company’s top executives – including the CFO – sold nearly $2 million in company stock after the breach was discovered but before it was publicly disclosed. See news coverage here.

▪ By late Thursday, two putative class action lawsuits had been filed against Equifax in federal courts in Portland and Atlanta.

▪ Consumer backlash was quick and intense. Consumers upbraided the company for its lack of responsiveness and transparency over how to sign up for credit card monitoring, and for the confusion over whether the “terms of service” for the remedial credit card monitoring offered to breach victims waived their legal right to sue the company.

▪ On September 8th, Rep. Ted Lieu of California asked the House Judiciary Committee to call a hearing to address the Equifax breach. He wants the heads of the big three credit bureaus – Equifax, Experian and TransUnion – to tell Congress what steps they are taking to protect consumer information. Senator Mark R. Warner of Virginia, head of the Senate’s Cybersecurity Oversight Caucus, called the breach “profoundly troubling” and called for more consumer protections against data theft. Two House committees have already announced that they will hold hearings.

▪ The same day, New York Attorney General Eric T. Schneiderman announced an investigation into the breach which – according to a statement from his office – has affected 8 million New Yorkers. Attorneys general in at least four other states have already launched investigations.

▪ News reports say that the Federal Bureau of Investigation is looking into the breach. There were also unconfirmed reports that the Consumer Financial Protection Bureau and the U.S. Federal Trade Commission are investigating the incident.

▪ Yesterday afternoon, Equifax issued a statement seeking to clarify its “terms of service” and confirmed that signing up for free monitoring did not waive a consumer’s right to sue the company.

“To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action,” Equifax said. The company said it has now removed the arbitration language from the terms of use on its data breach notification site, equifaxsecurity2017.com. It also said Sunday that the terms of use on Equifax’s main site, equifax.com, do not cover the TrustedID Premier service, which has its own terms of use. “Again,” Equifax continued, “to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”